Summary:

New leaks reveal how the government is using a massive secret program to break into personal, business and financial communications long considered secure. Here are the most important takeaways.

In the latest development in the ongoing scandal over U.S. surveillance practices, new reports show that the National Security Agency can break into a wide range of encrypted internet communications that have long been considered secure.

The revelations come from former NSA contractor Edward Snowden, who obtained a trove of highly classified information and has been slowly leaking it to the Guardian and the New York Times. The news outlets, along with ProPublica, set out the new facts on Thursday in long articles that include slides and technical details.

Here are three important findings as to how the government is using “supercomputers, technical trickery, court orders and behind-the-scenes persuasion” to access supposedly secure communications.

The U.S. government and its allies have “backdoors” to break into encrypted communications

In the 1990s, the Clinton White House lost a political battle to introduce the “Clipper chip,” which would have, in the words of the Times, “effectively neutered digital encryption by ensuring that the NSA always had the key” to devices and networking equipment.

After failing to obtain official permission, the NSA responded by creating a program called Bullrun that uses hacking techniques to create so-called “backdoors” into a wide variety of encrypted communications. For instance, the articles cite: email transmissions, bank networks, private computer networks, airlines and even “one foreign government’s nuclear department.”

The average person is most familiar with this type of encrypted communication through the little padlock symbol they see when using a banking or other secured site — it signifies that the communications that flow when the lock is present are supposed to be encrypted and unreadable. Now, in many cases, the government is able to crack those encryptions, or else get access to machines before a communication is encrypted, through the Bullrun program.

The program, which involves elite hacking and cryptography teams, is immense in scope. According to records, the government is spending $255 million this year — more than ten times what it spends on the controversial PRISM program — and $800 million since 2011.

Intelligence sources said in the reports that the backdoor programs are necessary to prevent “going dark” — allowing terrorists or criminals to foil eavesdropping through the use of encryption. In recent weeks, the tactics reportedly let America listen in on Al Qaeda and on Syria’s official communications about chemical weapons. The NSA is also sharing the tactics with its allies in the “Five Eyes” program: Britain, Canada, Australia and New Zealand.

Tech companies and privacy standards are compromised

The new disclosures also contain another major revelation: how successfully the NSA was able to apply human pressure in order to undermine security principles in standards-setting organizations and in companies like Microsoft. The result is that the government, in some cases, is obtaining the pre-built backdoors that it wanted in the first place.

In the case of Microsoft, the NSA has “pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service,” the Times reported.

Meanwhile, the NSA is making a successful push to get encrypted traffic on the “big four” service providers: Hotmail, Google, Yahoo and Facebook. In response to the relentless pressure from the agency, the Times said, the tech companies capitulated.

The situation with the standards bodies is more nuanced. It involved the NSA deliberately planting weaknesses in what came to be the international norms for encryption — in other words, it made security protocols weaker than they should have been in order to exploit them:

“Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006,” said the Times, adding that the NSA is now the “sole editor” of official security standards.

The government hasn’t broken every form of encryption but we don’t know all the details

While the Bullrun program has allowed the government to gain access to a wide range of secure communications, its success has not been absolute.

Some forms of encryption, including the ones used by the leaker Edward Snowden, appear to be still secure.

Meanwhile, people can use a variety of other technical tricks to avoid the government’s tracking tools or at least minimize the risk of being discovered. Bruce Schneier, a security authority, described five of them for the Guardian.

Despite Thursday’s detailed revelations, the precise scope of the government’s power to break encryption is not clear. This is in part because the New York Times and Guardian did not publish all that they know. While the government asked the news agencies not to publish the stories, they only withheld certain details.

  1. It also matters what they’ll be able to break in a few years since they might still have the data.
    It’s a bit weird though how little talk there is about hardware makers, everybody is playing ball but them? If proof ever leaks about some of those giants it will be fun.

  2. I’m shocked that a spy agency has backdoors into ISPs, etc, etc.

  3. I hope confidential documents from tech companies and phone carriers leak out from the NSA. It would be just punishment for those companies that cooperated with the NSA.

  4. Reblogged this on Jesse Talks Back and commented:
    VERY important! Read and understand!

  5. The two big questions are (1) do regular people understand what this means and (2) what will they do about it?

    The vast majority of regular people do not understand what this means. And, even if they did, they will not do much more than complain. After all, how has it hurt them up to now? Plus, it is all done in the name of fighting terrorism, and who could be against that, right?

    1. You know what, Kip, abuse of power is still abuse. The ironic thing is as a sovereign nation our government is far and away the biggest terrorist on this planet and the irony of terrorists protecting us from terror is beyond fathomable!

      To blindly accept that is to just give up your rights as forefathers envisioned them. I for one will NOT condone that.

      You may want to toss away your civil liberties with nary a worry, but many of us won’t!

  7. If you want to keep something secret, don’t put it out on the Internet.

  8. Has anybody revisited the concerns about the NSA-promoted AES encryption algorithm, which Bruce Schneier and Niels Ferguson detailed on pages 56-58 of their widely praised and highly regarded book, Practical Cryptography (ISBN: 0-471-22357-3)? To be blunt, everybody uses AES for everything, but Schneier and Ferguson pointed out a disturbing characteristic of AES, which they considered a potentially BIG weakness, because it would allow the algorithm to be cracked wide open if somebody knew how to do it. It always bothered me that NSA seemed so comfy with this algorithm. Given the fact that the spooks had RSA years before R, S and A discovered it, it’s entirely likely that the NSA knew how to crack AES before it was even selected, and just shut the heck up about it.

    Frankly, the world needs an independently selected encryption algorithm. I no longer trust AES. Just because the American government chooses something, doesn’t mean it’s actually secure. I’m sure that the weakness was known to the Russians and Chinese as well, and that just made things even dicier for us little people. They’ve probably ALL been reading our mail and lying about it.
